RSA Mechanism Remap for FIPS Compliance

Under FIPS 186-3/4, the only RSA methods permitted for generating keys are 186-3 with primes and 186-3 with aux primes. This means that RSA PKCS and X9.31 key generation is no longer approved for operation in a FIPS-compliant HSM.

Supported Mechanisms FIPS-mode Allowed Mechanisms
PKCS, X9.31, 186-3 with primes, 186-3 with aux primes 186-3 with primes, 186-3 with aux primes

Luna HSM Client allows you to automatically remap calls to these old, less-secure mechanisms, to new mechanisms that are FIPS-approved. This remapping can allow you to operate the HSM securely without having to rewrite your applications. With this feature enabled, the following remapping is applied:

>Calls for PKCS key generation using CKM_RSA_PKCS_KEY_PAIR_GEN are remapped to CKM_RSA_FIPS_186_3_PRIME_KEY_PAIR_GEN, which uses 186-3 Prime key generation.

>Calls for X9.31 key generation using CKM_RSA_X9_31_KEY_PAIR_GEN are remapped to CKM_RSA_FIPS_186_3_AUX_PRIME_KEY_PAIR_GEN, which uses 186-3 Aux Prime key generation

Effects of Remapping in FIPS Mode

When the Luna HSM is in FIPS mode (HSM policy 12: Allow non-FIPS algorithms set to OFF) or the application partition is in FIPS mode (partition policy 43: Allow non-FIPS algorithms set to 0) and RSA remapping is enabled:

>CKM_RSA_PKCS_KEY_PAIR_GEN appears in the C_GetMechanismList output.

>C_GetMechanismInfo for CKM_RSA_PKCS_KEY_PAIR_GEN returns the default information from the client library.

>CKM_RSA_X9_31_KEY_PAIR_GEN appears in the C_GetMechanismList output.

>C_GetMechanismInfo for CKM_RSA_X9_31_KEY_PAIR_GEN returns the default information from the client library.

Applying the Mechanism Remapping

Mechanism remapping has been enabled automatically in recent versions of the Luna HSM Client. Refer to the following table for older version requirements.

Luna HSM Firmware Luna HSM Client To apply RSA mechanism remapping
Luna HSM Firmware 7.7.1 or newer Luna HSM Client 10.4.0 or newer If you have FIPS mode set on individual partitions (partition policy 43: Allow non-FIPS algorithms set to 0), remapping is automatic; the RSAKeyGenMechRemap configuration setting is ignored.
Luna HSM Client 10.1.0 or newer

If you have FIPS mode set on the entire HSM (HSM policy 12: Allow non-FIPS algorithms set to OFF), remapping is automatic; the RSAKeyGenMechRemap configuration setting is ignored.

NOTE   Remapping on individual partitions requires Luna HSM Client 10.4.0 or newer.

Luna HSM Firmware 7.7.0 or older Luna HSM Client 10.1.0 or newer Remapping is automatic; the RSAKeyGenMechRemap configuration setting is ignored.
Luna HSM Client 7.4.0 or older

Remapping must be enabled using the RSAKeyGenMechRemap setting in the Luna HSM Client configuration file (see Configuration File Summary):

>Linux:

Misc = {
  RSAKeyGenMechRemap=1;
}

>Windows:

[Misc]
RSAKeyGenMechRemap=1